Hello.
I have a quite annoying problem. The most annoying thing about it is that it's somewhat erratic. For some users the VPN always works, but some report that the VPN gets properly connected but no traffic is coming through. And even for those clients for whom it doesn't work it happens to work sometimes (after some five, ten or twenty reconnections).
On the VPN server's side everything looks OK. The SAs are created, the dynamic VPN users are reported as connected, and even `show security flow session` for the client's IP shows traffic (in both directions!). But the traffic does not show up on the client's machine. So, for example, ping gets no response even though the flow session on the SRX shows traffic counters in both directions.
What's most puzzling about it is that it happens only for some clients (and I cannot find any common factor among them) and not always, so I have no clue how to debug it. To make things harder, on my laptop everything works perfectly OK.
For example, the same user who reports the VPN as "not working" from his Windows 10 virtual machine says that it works perfectly OK from his Linux host (via a patched vpnc client). I think that only Windows 10 machines are affected by this issue, but not all of them. My fresh "debug" instance, which I installed recently specifically for troubleshooting this problem (normally I use W8.1), works OK. I thought that maybe it had something to do with the McAfee agent on users' laptops, but my W10 also has it and still works fine.
So I'm completely stuck.
If anyone has any idea what might be causing this... Or at least where to start looking.
Relevant excerpts from config:
/* SRX configuration excerpt: IKEv1 dynamic (remote-access) VPN terminating on ge-0/0/0.0 in zone OUTSIDE, with users authenticated by XAuth against LDAP. Secrets are redacted by the author. */
security {
    ike {
        /* Phase 1 policy used by all dynamic VPN clients. */
        policy Dyn-vpn-P3 {
            /* Aggressive mode exchanges identities in the clear and, with a pre-shared key, offers weaker protection than main mode; Junos dynamic VPN with a group IKE ID requires it, so the strength of the shared key below is the compensating control. */
            mode aggressive;
            /* The predefined "standard" set still includes legacy 3DES/SHA-1 and DH group 2 combinations; the peer negotiates the first acceptable one. — TODO confirm the exact set for this Junos release. */
            proposal-set standard;
            /* A single key shared by every dynamic VPN client (see ike-user-type group-ike-id); per-user identity comes from XAuth against the vpn-ldap profile. If the key is exposed on any one laptop it has to be rotated here for all clients. */
            pre-shared-key ascii-text "edited out";
        }
        gateway dyn-vpn-local-test-gw {
            ike-policy Dyn-vpn-P3;
            dynamic {
                /* IKE identity (hostname type) that clients present; with group-ike-id a user-specific prefix is combined with this name — confirm against the client profiles. */
                hostname vpngw;
                ike-user-type group-ike-id;
            }
            /* IKE/IPsec terminate on the external interface, which sits in zone OUTSIDE (host-inbound ike is enabled there below). */
            external-interface ge-0/0/0.0;
            aaa {
                /* XAuth user authentication via the LDAP access profile defined under "access" further down. */
                access-profile vpn-ldap;
            }
        }
    }
    ipsec {
        policy test-dyn-vpn-policy {
            /* PFS with DH group 2 (1024-bit MODP) is below current guidance; a higher group is preferable if the clients support it. — TODO verify client support */
            perfect-forward-secrecy {
                keys group2;
            }
            /* Phase 2 "standard" set, same legacy caveat as for IKE above. */
            proposal-set standard;
        }
        vpn test-dyn-vpn {
            ike {
                gateway dyn-vpn-local-test-gw;
                ipsec-policy test-dyn-vpn-policy;
            }
        }
    }
    alg {
        /* Most ALGs are switched off; only the IKE/ESP NAT ALG is enabled. That ALG is intended for ESP traffic passing through the SRX rather than for tunnels the SRX itself terminates, and it changes how ESP flows are matched — worth confirming it is actually needed here. — TODO confirm */
        dns disable;
        ftp disable;
        msrpc disable;
        sunrpc disable;
        rtsp disable;
        talk disable;
        tftp disable;
        pptp disable;
        ike-esp-nat {
            enable;
        }
    }
    dynamic-vpn {
        access-profile vpn-ldap;
        /* Per-group client profiles: the protected resources are the prefixes pushed to the client as tunnel routes, selected by the user's LDAP group. Note the inconsistent prefixes: ENG gets 172.16.0.0/16 while "all" lists 172.16.0.0/24 plus 172.16.100.0/24 — confirm which is intended. */
        clients {
            OFFICE {
                remote-protected-resources {
                    172.16.100.0/24;
                    10.0.0.0/24;
                }
                ipsec-vpn test-dyn-vpn;
                user-groups {
                    G-VPN_Office;
                }
            }
            ENG {
                remote-protected-resources {
                    10.0.0.0/24;
                    172.16.0.0/16;
                    10.0.3.0/24;
                }
                ipsec-vpn test-dyn-vpn;
                user-groups {
                    G-VPN_Eng;
                }
            }
            all {
                remote-protected-resources {
                    192.168.10.0/24;
                    10.0.0.0/24;
                    172.16.0.0/24;
                    10.0.3.0/24;
                    172.16.100.0/24;
                }
                ipsec-vpn test-dyn-vpn;
                user-groups {
                    G-VPN;
                    G-VPNLAB;
                }
            }
        }
    }
    screen {
        /* IDS screen profile; this excerpt does not show it being attached to zone OUTSIDE — confirm the zone references untrust-screen. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        /* Control-plane access for the VPN: IKE, NAT-T, ESP and HTTPS from any source to the external address, logged at session start/end and counted. Any-source is unavoidable for roaming clients; the logs are the place to watch for IKE abuse. */
        from-zone OUTSIDE to-zone junos-host {
            policy IPSec-VPN {
                match {
                    source-address any;
                    destination-address IP-external;
                    application [ junos-ike junos-ike-nat isakmp junos-https esp esp-nat-t ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        /* Decrypted client traffic into SRV is limited to the VPN pool address-book entry (VPN-clients-POOL1 is presumably the 10.0.222.11-200 range of VPN-POOL; the address-book definition is not in this excerpt). */
        from-zone OUTSIDE to-zone SRV {
            policy VPN-access-SRV {
                match {
                    source-address VPN-clients-POOL1;
                    destination-address NET-SRV;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        /* Unlike the other OUTSIDE-to-internal policies, this one matches any source and any destination and does not log. Because its action is a tunnel permit, only traffic decrypted from test-dyn-vpn should match it — confirm that cleartext OUTSIDE->LAB traffic is not permitted by it, and consider narrowing the source to VPN-clients-POOL1 and adding log for consistency with VPN-access-SRV. */
        from-zone OUTSIDE to-zone LAB {
            policy LAB-VPN-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn test-dyn-vpn;
                        }
                    }
                    count;
                }
            }
        }
        [...] (there are more specific entries from zone OUTSIDE to various internal zones permitting traffic from VPN-clients-POOL1)
        /* Anything not matched by an explicit policy is dropped. */
        default-policy {
            deny-all;
        }
    }
    security-zone OUTSIDE {
        host-inbound-traffic {
            /* Services the SRX itself answers on the external interface: IKE (required for the VPN), ICMP echo, and HTTPS (needed for the dynamic VPN client portal; confirm it does not also expose device management to the Internet). */
            system-services {
                ike;
                ping;
                https;
            }
            /* "all" accepts every routing/control protocol from the untrusted side; restrict this to the protocols actually peered on ge-0/0/0.0, or remove it if there are none. */
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
}
access {
    /* LDAP-backed profile used for XAuth, address assignment and (below) firewall authentication. */
    profile vpn-ldap {
        authentication-order ldap;
        address-assignment {
            pool VPN-POOL;
        }
        ldap-options {
            /* Users are looked up by sAMAccountName under this base DN with a dedicated bind account; the bind password lives in the configuration, so it should be a least-privilege, read-only account. */
            base-distinguished-name dc=whatever,dc=com;
            search {
                search-filter samaccountname=;
                admin-search {
                    distinguished-name cn=edited out;
                    password "edited out"; ## SECRET-DATA
                }
            }
        }
        ldap-server {
            /* Bind and user lookups go to this server; no transport-protection option appears in the excerpt, so the path between the SRX and 10.0.0.12 is assumed to be trusted. — TODO confirm */
            10.0.0.12;
        }
    }
    address-assignment {
        pool VPN-POOL {
            family inet {
                /* Client addresses are drawn from POOL1; the VPN-clients-POOL1 address-book entry used in the policies is expected to cover exactly this range. */
                network 10.0.222.0/24;
                range POOL1 {
                    low 10.0.222.11;
                    high 10.0.222.200;
                }
                /* DNS servers pushed to the client via XAuth; the LDAP server doubles as primary DNS. */
                xauth-attributes {
                    primary-dns 10.0.0.12/32;
                    secondary-dns 10.0.0.13/32;
                }
            }
        }
    }
    /* Pass-through and web authentication reuse the same LDAP profile (and therefore the same bind account) as the VPN. */
    firewall-authentication {
        pass-through {
            default-profile vpn-ldap;
        }
        web-authentication {
            default-profile vpn-ldap;
        }
    }
}